[57] ABSTRACT

A programmed computer secures communications between users of a crypto-system in which each user has an associated asymmetric crypto-key with a public key portion accessible to all system users and a corresponding private key portion having a first private key portion known only to the associated user and a corresponding second private key portion. The computer includes a processor programmed to generate a temporary asymmetric crypto-key having a first temporary key portion and an associated second temporary key portion. The computer then encrypts the second temporary key portion with the first private key portion of a first user crypto-key associated with a first user to form a first encrypted message. The processor directs the issuance of the first encrypted message to a second user having access to the second private key portion of the first user crypto-key. The processor next applies the public key portion of the first user crypto-key to decrypt a second encrypted message generated by the second user, which includes the first encrypted message encrypted with the second private key portion of the first user crypto-key, to thereby authenticate the second user to the first user. The computer also includes a storage medium for storing the first temporary key portion and the public key portion of the first user crypto-key.
COMPUTER SYSTEM FOR SECURING COMMUNICATIONS USING SPLIT PRIVATE KEY ASYMMETRIC CRYPTOGRAPHY

RELATED APPLICATIONS

This application is a continuation-in-part of application Ser. No. 08/338,128, filed Nov. 9, 1994, now U.S. Pat. No. 5,535,276.

BACKGROUND OF INVENTION

1. Field of the Invention

The present invention relates generally to securing communications using cryptography. More particularly, the present invention provides a computer and computer programming for enhancing the security of communications in an asymmetric crypto-system and is especially useful in enhancing communication security in conventional Kerberos authentication systems.

2. Description of the Related Art

Cryptosystems have been developed for maintaining the privacy of information transmitted across a communications channel. Often, a symmetric cryptosystem is used for this purpose. Symmetric cryptosystems, which utilize electronic keys, can be likened to a physical security system where a box has a single locking mechanism with a single key hole. One key holder uses his/her key to open the box, place a message in the box and relock the box. Only a second holder of the identical copy of the key can unlock the box and retrieve the message. The term symmetric reflects the fact that both users must have identical keys.

In more technical terms, a symmetric cryptosystem comprises an encryption function E, a decryption function D, and a shared secret-key, K. The key is a unique string of data bits to which the functions are applied. Two examples of encipherment/decipherment functions are the National Bureau of Standards Data Encryption Standard (DES) and the more recent Fast Encipherment Algorithm (FEAL). To transmit a message, M, in privacy, the sender computes C=E(M,K), where C is referred to as the ciphertext. Upon receipt of C, the recipient computes M=D(C,K), to recover the message M. An eavesdropper who copies C, but does not know K, will find it practically impossible to recover M. Typically, all details of the enciphering and deciphering functions, E and D, are well known, and the security of the system depends solely on maintaining the secrecy of key, K. Conventional symmetric cryptosystems are fairly efficient and can be used for encryption at fairly high data rates, especially if appropriate hardware implementations are used.

Asymmetric cryptosystems, often referred to as public key cryptosystems, provide another means of encrypting information. Such systems differ from symmetric systems in that, in terms of physical analogue, the box has one lock with two non-identical keys associated with it. For example, in an RSA system, either key can be used to unlock the box to retrieve a message which has been locked in the box by the other key. However, the system could be limited to using the keys in a particular sequence, such that the box can only be locked with the one key and unlocked with the other key.

In public key electronic cryptosystems, each entity has a private key, d, which is known only to the entity, and a public key, e, which is publicly known. Once a message is encrypted with a user's public-key, it can only be decrypted using that user's private-key, and conversely, if a message is encrypted with a user's private-key, it can only be decrypted using that user's public-key. It will be understood by those familiar with the art that although the terms "encrypt" and "decrypt" and derivations thereof are used herein in describing the use of public and private keys in an asymmetric public key cryptosystem, the term "transform" is commonly used in the art interchangeably with the term "encrypt" and the term "invert" is commonly used in the art interchangeably with the term "decrypt". Accordingly, as used herein in describing the use of public and private keys, the term "transform" could be substituted for the term "encrypt" and the term "invert" could be substituted for the term "decrypt".

If sender x wishes to send a message to receiver y, then x "looks-up" y's public-key e_y and computes M=E(C,e_y) and sends it to y. User y can recover M using its private-key d_y by computing C=D(M,d_y). An adversary who makes a copy of C, but does not have d_y, cannot recover M. However, public-key cryptosystems are inefficient for large messages.

Public-key cryptosystems are quite useful for digital signatures. The signer, x, computes S=E(M,d_x) and sends [M,S] to y. User y "looks-up" x's public-key e_x and then checks to see if M=D(S,e_x). If it does, then y can be confident that x signed the message, since computing S, such that M=D(S,e_x), requires knowledge of d_x, x's private key, which only x knows.

Public-key cryptography also provides a convenient way of performing session key exchange, after which the key that was exchanged can be used for encrypting messages during the course of a particular communications session and then destroyed, though this can vary depending on the application.

One public key cryptographic system is the Rivest, Shamir, Adleman (RSA) system, as described in Rivest, Shamir and Adleman, "A Method of Obtaining Digital Signatures and Public Key Cryptosystems", CACM, Vol 21, pp 120-126, February 1978. RSA is a public-key based cryptosystem that is believed to be very difficult to break. In the RSA system the pair (e_i, N_i) is user i's public-key and d_i is the user's private key. Here N_i=pq, where p and q are large primes. Here also e_i d_i = 1 mod φ(N_i), where φ(N_i)=(p-1)(q-1) is the Euler Totient function, which returns the number of positive numbers less than N_i that are relatively prime to N_i. A Carmichael function is sometimes used in lieu of the Euler Totient function.

To encrypt a message being sent to user j, user i will compute C=M^(e_j) mod N_j and send C to user j. User j can then perform M=C^(d_j) mod N_j to recover M. User i could also send the message using his signature. The RSA based signature of user i on the message, M, is M^(d_i) mod N_i. The recipient of the message, user j, can perform (M^(d_i) mod N_i)^(e_i) mod N_i to verify the signature of i on M.

In a typical mode of operation, i sends j M^(d_i) mod N_i along with M and a certificate C_i={i, e_i, N_i}^(d_CA) mod N_CA, where C_i is generated by a Certificate Authority (CA) which serves as a trusted off-line intermediary. User j can recover i's public key from C_i by performing (C_i)^(e_CA) mod N_CA, as e_CA and N_CA are universally known. It should also be noted that in an RSA system the encryption and signatures can be combined.

Modifications to RSA systems have been proposed to enable multi-signatures to be implemented. Such an approach is described in "Digital Multisignature", C. Boyd, Proceedings of the Inst. of Math. and its Appl. on Cryptography and Coding, 15-17 December 1986. The proposed approach extends the RSA system by dividing or splitting the user private key d into two or more portions, say d_a and d_b, where d_a*d_b=d.

"A Secure Joint Signature and Key Exchange System", now U.S. Pat. No. 5,588,061, see also U.S. patent application Ser. No. 08/277,808, which is also assigned to the assignee of the present application, modified Boyd's system, and made four significant additional points regarding split private key asymmetric cryptosystems. Although specifically applied to the two party case, the findings can be utilized more generally. The first point is that, assuming all operations are modulo N, breaking the joint signature system is equivalent to breaking RSA. This is true whether the attacker is an active or passive eavesdropper or one of the system users. It is assumed that key generation is conducted by a trusted third party, for example a tamper proof chip, and the factors of the RSA modulus N and φ(N) are discarded after key generation and not known to any of the system users. The second point is the description of the following key exchange protocol: User 1 sends c_1=m_1^(d_1) to User 2. User 2 recovers m_1=c_1^(d_2 e). Similarly User 2 transmits m_2^(d_2) to User 1. Each user then computes m=f(m_1, m_2), where f is a function like XOR. Page and Plant prove mathematically that breaking this scheme is equivalent to breaking RSA. Again this is true whether the attacker is an eavesdropper or one of the system users. The third point is the introduction of the concept that one of the two users is a central server which maintains one portion of every user's RSA private key. In order to sign a message the user must interact with this server which, it is shown, cannot impersonate the user. Having to interact with such a central server has several important practical advantages, including instant revocation without difficult to maintain Certificate Revocation Lists (CRL), Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate Based Key Management", INTERNET RFC 1422, February 1993, a central point for audit and, as discussed below, a method of providing for digital signatures in an era where smart cards are not yet ubiquitous. Finally, the paper also proves mathematically that even if one of the two portions, d_1 and d_2, of the private key, d, is short, say 64 bits, an eavesdropper will have equal difficulty breaking the split key system as would be experienced in breaking RSA. As a consequence, a digital signature infrastructure can be built where users who remember short (8-12 characters) passwords can interact with the central server to create RSA signatures which are indistinguishable from those created using a full size private key stored on a smart card.

One symmetric cryptosystem is the Kerberos authentication system, Kohl, J. T. and B. C. Neuman, "The Kerberos Network Authentication Service", INTERNET RFC 1510, September 1993, which is based on the classic Needham-Schroeder authentication protocols, Needham, R. M. and Schroeder, M. D., "Using Encryption for Authentication in Large Networks of Computers", Communications of the ACM, v. 21, n. 12, December 1978, with extensions by Denning and Sacco, D. E. Denning and G. M. Sacco, "Timestamps in Key Distribution Protocols," Communications of the ACM, v. 24, n. 8, August 1981, pp. 533-536. The system uses a trusted third party model to perform authentication and key exchange between entities in a networked environment, for example, over a local or wide area network. Kerberos uses symmetric key cryptosystems as a primitive, and initial implementations use the Data Encryption Standard (DES) as an interoperability standard, though any other symmetric encryption standard can be used. After close to a decade of effort the Kerberos authentication system is now a fairly mature system whose security properties have held up fairly well to intense scrutiny. Further, vendors are now delivering Kerberos as a supported product. Kerberos has also been adopted as the basis for the security service by the Open Software Foundation's (OSF) Distributed Computing Environment (DCE). Consequently, Kerberos can be expected to be among the most widespread security systems used in distributed environments over the next several years.

For the sake of clarity, a "simplified" version of the Kerberos protocol described by Neuman and Ts'o in Neuman, B. C. and Ts'o, T., "Kerberos: An Authentication Service for Computer Networks", IEEE Communications, September 1994, will be discussed below. The complete protocol is described in Kohl, J. T. and Neuman, B. C., "The Kerberos Network Authentication Service", INTERNET RFC 1510, September 1993. Further, the following discussion is based on Neuman, B. C. and Ts'o, T., "Kerberos: An Authentication Service for Computer Networks", IEEE Communications, September 1994, and for the sake of consistency uses almost the same notation. The fundamental message exchanges are shown in FIG. 1. In message 1 the user uses a personal computer or workstation 10 to request a ticket granting ticket (TGT) from an authentication server (AS) 20. The server 20 creates such a ticket TGT, looks up the user's password from the Kerberos database 30, encrypts the TGT with the password and sends it to the user via the computer 10 in message 2. The user decrypts the TGT with her password using computer 10, and stores the TGT on computer 10, for example on a hard disk or in the random access memory (RAM). Then, when the user desires to access a service, she sends message 3, which contains the TGT, to the ticket granting server 40. The server 40 verifies the TGT and sends back, in message 4, a service ticket to access the service server 50, and a session key, encrypted with the user's password retrieved from database 30. In message 5 the user presents via computer 10 the service ticket to the server 50, which verifies it and also recovers the session key from it. If mutual authentication is required, the server 50, in message 6, sends back a message encrypted with the session key. All communications between servers 20, 40 and 50 and computer 10 are via network 60. All communications between servers 20 and 40 and database 30 are preferably by direct communications link.

The Kerberos messages will now be described in further detail. Message 1, known as as_req (request to authentication service), consists of

as_req: c, tgs, time-exp, n (1)

where c is the name of the user, tgs is the name of the ticket granting service associated with server 50, for which the user wants a ticket granting ticket, time-exp is the requested expiry time of the ticket, e.g. eight hours, and n is a fresh random number. This message is sent from computer 10 in the clear, and all parts of it are visible to an eavesdropper. The authentication server 20 responds with Message 2, with

as_rep: {Kc,tgs, time-exp, n, ...}Kc, {Tc,tgs}Ktgs (2)

where Kc,tgs is the symmetric session key to be shared between the ticket granting server (tgs) 40 and the user for the lifetime of this ticket. Kc,tgs and the other information is encrypted with symmetric key Kc which is the user's password, i.e. the long term secret which is shared with the Kerberos server. Only a user who knows Kc will be able to decrypt this message to obtain Kc,tgs. The key Kc,tgs is also embedded in the ticket Tc,tgs, which in the as_rep is encrypted using Ktgs, a long term key known only to the server 20 and the server 40. After decrypting the first part of the message on computer 10, the user stores the data received in the as_rep on computer 10. The main purpose of
this process is to avoid storing the long term key Kc on the computer 10 where it may be compromised. Rather, the key Kc,tgs is used in subsequent communications in lieu of Kc. Since Kc,tgs is relatively short lived, the damage an attacker can cause by learning this key is significantly less than the damage which might be caused by compromise of long term key Kc. It is worth observing that the server 20 does not verify the identity of the user before responding to a user's as_req with an as_rep. Rather, server 20 relies on the fact that to be able to make any use of the as_rep, the recipient must know Kc. So not only can an attacker eavesdrop on the network to recover an as_rep, but can actually get an as_rep from the server 20 by sending a fraudulent as_req. The attacker can then take the portion of the as_rep encrypted with Kc, and attempt to decrypt it by taking guesses at Kc. Since Kc is typically a user selected password, Kc may well be a poor password, which the attacker can guess.

When the client wishes to obtain a ticket to access server 50, it sends to the server 40, Message 3,

tgs_req: s, time-exp, n, {Tc,tgs}Ktgs, {ts, ...}Kc,tgs (3)

This message consists of the name of the server 50, s, the requested expiry time, time-exp, and the random number n, in clear text. It also contains the encrypted ticket granting ticket {Tc,tgs}Ktgs which was received by the client computer 10 in the as_rep message. The server 40, which knows Ktgs, can decrypt and recover Tc,tgs, which is a valid ticket. In order to prevent a replay attack in which an attacker might gain some benefit by resending a valid {Tc,tgs}Ktgs at a later time, the tgs_req message also contains an authenticator, which is a time stamp, ts, a check sum and other data, all encrypted with the session key Kc,tgs. Since this session key is embedded in the ticket Tc,tgs, which the server 40 has recovered, the server 40 can decrypt the authenticator and verify the time stamp and check sum, etc. By maintaining a cache of recently received authenticators, the server 40 can detect replays.

Having verified the authenticity of the tgs_req, the server 40 responds with Message 4,

tgs_rep: {Kc,s, time-exp, n, s, ...}Kc,tgs, {Tc,s}Ks (4)

This message is very similar in structure and purpose to the as_rep message. The first part consists of a session key, expiry time, etc., encrypted with Kc,tgs. The client computer 10 can decrypt this to recover the session key and other information. The second portion is a ticket to access the server 50, encrypted with the long term key Ks shared by the server 50 and the server 40. The client using computer 10 now constructs Message 5 and sends it to the server 50, as follows:

ap_req: {ts, ck, ...}Kc,s, {Tc,s}Ks (5)

This message is similar to the tgs_req, in that it contains an encrypted ticket {Tc,s}Ks which the server 50 can use to recover Tc,s, which authenticates the client to the server 50 and, among other information, contains the session key Kc,s. The server 50 then uses Kc,s to decrypt the first part of the message, the authenticator, which has a time-stamp, ts, a check-sum, ck, etc.

Having verified the authenticity of the client, the client computer 10 and server 50 are ready to communicate. However, in some cases the client may request mutual authentication, in which case the server 50 must first respond with message 6.

ap_rep: {ts}Kc,s (6)

which is basically proof that the server 50 successfully recovered Kc,s from the ticket Tc,s, which means the server knew Ks, which in turn is proof of authenticity of the server. The actual protocol has a number of options and is more complex, but the basic structure is defined by these six messages. Those interested are referred to Kohl, J. T. and B. C. Neuman, "The Kerberos Network Authentication Service", INTERNET RFC 1510, September 1993, for more details.
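As an added illustration (not code from the patent or its assignee), the following Python models the six-message exchange just described: servers 20, 40 and 50 sharing database 30, a client computer 10 running Messages 1 to 6, and the cache of recently received authenticators at server 40 that detects a re-presented tgs_req. The SHA-256/HMAC construction standing in for DES, the user name alice, her password and the service name are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets
import time


def _keystream(key, nonce, length):  # toy SHA-256 counter mode standing in for DES
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def enc(key, obj):
    """{obj}key in the text's notation: encrypt a dict and append an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key, blob):
    """Inverse of enc; raises ValueError for a wrong key or an altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KerberosServers:
    """Authentication server 20, ticket granting server 40, service server 50, database 30."""

    def __init__(self):
        # Constructed database 30 entry: Kc is derived from the user's password.
        self.db = {"alice": hashlib.sha256(b"correct horse battery").digest()}
        self.Ktgs = secrets.token_bytes(32)  # long term key of servers 20 and 40 only
        self.Ks = secrets.token_bytes(32)    # long term key of servers 40 and 50 only
        self.seen = set()                    # server 40's cache of recent authenticators

    def as_exchange(self, c, tgs, time_exp, n):
        """Message 1 -> Message 2; server 20 answers without verifying the requester."""
        Kc_tgs = secrets.token_bytes(32).hex()
        tgt = enc(self.Ktgs, {"c": c, "tgs": tgs, "Kc,tgs": Kc_tgs, "time-exp": time_exp})
        return enc(self.db[c], {"Kc,tgs": Kc_tgs, "time-exp": time_exp, "n": n}), tgt

    def tgs_exchange(self, s, time_exp, n, tgt, authenticator):
        """Message 3 -> Message 4: recover Tc,tgs, check the authenticator, detect replays."""
        T = dec(self.Ktgs, tgt)
        Kc_tgs = bytes.fromhex(T["Kc,tgs"])
        auth = dec(Kc_tgs, authenticator)  # only a holder of Kc,tgs could have built this
        if abs(time.time() - auth["ts"]) > 300:
            raise ValueError("authenticator time stamp outside the accepted window")
        if (T["c"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((T["c"], auth["ts"]))
        Kc_s = secrets.token_bytes(32).hex()
        ticket = enc(self.Ks, {"c": T["c"], "Kc,s": Kc_s, "time-exp": time_exp})
        return enc(Kc_tgs, {"Kc,s": Kc_s, "time-exp": time_exp, "n": n, "s": s}), ticket

    def ap_exchange(self, authenticator, ticket):
        """Message 5 -> Message 6: {ts}Kc,s shows server 50 recovered Kc,s, i.e. knew Ks."""
        Kc_s = bytes.fromhex(dec(self.Ks, ticket)["Kc,s"])
        return enc(Kc_s, {"ts": dec(Kc_s, authenticator)["ts"]})


def client_session(srv, user, password, service="fileserver"):
    """Client computer 10 runs Messages 1 to 6; returns (mutual auth ok, its Message 3)."""
    Kc = hashlib.sha256(password.encode()).digest()
    time_exp = time.time() + 8 * 3600
    part1, tgt = srv.as_exchange(user, "tgs", time_exp, secrets.randbits(64))
    Kc_tgs = bytes.fromhex(dec(Kc, part1)["Kc,tgs"])  # raises if Kc is wrong
    ts, ck = time.time(), hashlib.sha256(service.encode()).hexdigest()
    auth3 = enc(Kc_tgs, {"ts": ts, "ck": ck})
    part1, ticket = srv.tgs_exchange(service, time_exp, secrets.randbits(64), tgt, auth3)
    Kc_s = bytes.fromhex(dec(Kc_tgs, part1)["Kc,s"])
    ts5 = time.time()
    ap_rep = srv.ap_exchange(enc(Kc_s, {"ts": ts5, "ck": ck}), ticket)
    return dec(Kc_s, ap_rep)["ts"] == ts5, (service, time_exp, tgt, auth3)


def replay_is_rejected(srv, tgs_req):
    service, time_exp, tgt, auth3 = tgs_req  # an already seen Message 3, presented again
    try:
        srv.tgs_exchange(service, time_exp, 0, tgt, auth3)
    except ValueError as err:
        return "replayed" in str(err)
    return False


def demo():
    """Constructed run: honest session, re-presented Message 3, wrong-password attempt."""
    srv = KerberosServers()
    ok, tgs_req = client_session(srv, "alice", "correct horse battery")
    try:  # server 20 still answers the request, but the as_rep cannot be opened
        client_session(srv, "alice", "not her password")
        wrong_pw_useless = False
    except ValueError:
        wrong_pw_useless = True
    return ok, replay_is_rejected(srv, tgs_req), wrong_pw_useless
```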

Kerberos does have limitations, and among the more serious ones are (i) compromise of the central trusted on-line Kerberos server, or the central Kerberos database, is catastrophic, since it retains long term user secrets, (ii) Kerberos is vulnerable to password guessing dictionary attacks, and (iii) Kerberos does not provide non-repudiation services, i.e. digital signatures. The first limitation is intrinsic to the Needham Schroeder protocol when used with symmetric cryptosystems like DES. The second problem is significant because experience suggests that password guessing attacks tend to be far more common than most other forms of attacks, since they are simple and effective. Finally, Kerberos was designed to provide authentication and key-exchange, but it was not designed to provide digital signatures. However, organizations using Kerberos may also need to implement digital signatures, and must now maintain separate security infrastructures for conventional Kerberos and for digital signatures, which accordingly results in significant additional costs.

Digital Equipment Corporation's SPX system, Tardo, J., and K. Alagappan, "SPX: Global Authentication Using Public-Key Certificates", Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, 1991, is an example of a system with a public key infrastructure which achieves many of the same goals as Kerberos without its associated limitations. However, the SPX system does not maintain the standard Kerberos authentication system whose security properties have been widely examined. Therefore the SPX system is substantially different than the Kerberos protocol and the Kerberos source tree. In particular, the SPX system's protocol is sufficiently different from Kerberos to make integration of these systems require a complete reworking of the Kerberos protocol.

Bellovin and Merritt's Encrypted Key Exchange (EKE), Bellovin, S. M. and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks", Proceedings of the 1992 IEEE Computer Society Conference on Research in Security and Privacy, 1992, can potentially be integrated with Kerberos to prevent dictionary attacks. However, the EKE multi-pass protocol would require very significant changes to the Kerberos system. EKE assumes that the participants share a common long term secret.

It has been suggested, by at least one expert (Kohl, J. T., "The Evolution of the Kerberos Authentication Service", EurOpen Conference Proceedings, May 1991, as quoted in Schneier, B., Applied Cryptography: Protocols, Algorithms and Source Code in C, John Wiley and Sons, New York, 1994) that: "Taking advantage of public-key cryptography would require a complete reworking of the [Kerberos] protocol".

It will perhaps also be worthwhile to describe the taxonomy of dictionary type attacks on system security. Dictionary attacks are a common form of attack, and it is well-known that many systems (e.g. UNIX or Kerberos), Morris, R. and K. Thompson, "Password Security: A Case History", Communications of the ACM, 22(11), November 1979, are vulnerable, Karn, P. R. and D. C. Feldmeier, "UNIX password security—Ten years later", Advances in Cryptology—CRYPTO 89, G. Brassard (Ed), Lecture Notes in Computer Science, Springer-Verlag, 1990, to them.

5,737,419

However, all dictionary attacks are not alike. There are four parameters to a dictionary attack. The first is the known plain text, S, which can take two forms. The first form is a string S1 which is known in advance to the attacker. An example of S1 is a string of zeroes. The second form is a string S2 which is not known to the attacker in advance, but which will be known when the attack is successful. An example of S2 is any string with some form of predictable redundancy, for instance, a time stamp. Another example is a number with particular, easily tested, mathematical properties, for instance, a prime, or a non-prime with no small factors. The second parameter is the ciphertext C, typically of the form F(S,k) where k is the password being sought. The third parameter is the password space P being guessed at. The attacker will take p1, p2, ..., pn, until a pi which is equal to k is found. The fourth parameter is the function F and its inverse, assuming one exists, which are typically public information. Those skilled in the art will recognize that important distinctions exist between cases when F is an RSA or similar function rather than a DES or similar function.

These four parameters result in at least two distinct forms of dictionary attacks. The first is S1 type attacks. Here the attacker typically computes F(S1,pi) on all passwords in P until a pi where F(S1,pi)=C is uncovered. This is the most dangerous form of attack since the attacker can (i) precompute the F(S1,pi) for all or many pi and (ii) amortize his attack against several users. UNIX is particularly vulnerable to such attacks. The second form of attack is S2 type attacks. Here the attacker is typically computing F^(-1)(C,pi) and hoping to find an S2 which can be recognized. The attacker cannot start computations before C is captured. Further, since C will be different for each instance, no amortizations of the attack are possible. The Kerberos system is vulnerable to this form of attack.

OBJECTIVES OF THE INVENTION

A need exists for a programmed computer and computer programming instructions which can secure communications such that the compromise of a central database, such as the database in a conventional Kerberos system, will not be catastrophic to overall system security, that is, the attacker will not be able to use a compromised password or crypto-key to impersonate a user.

A need also remains for a programmed computer and computer programming instructions which can secure communications such that the communications are not vulnerable to dictionary attacks.

A still further need exists for a programmed computer and computer programming instructions which can secure communications such that one user is authenticated to another user.

Yet another need exists for a programmed computer and computer programming instructions which can secure communications such that digital signatures are facilitated, to provide for non-repudiation.

Additionally needed is a programmed computer and computer programming instructions which can secure communications such that security of conventional Kerberos systems is enhanced with minimum changes to the standard Kerberos protocol.

Another need which continues to exist is for a programmed computer and computer programming instructions which can secure communications such that the use of "smart cards" is facilitated.

A programmed computer and computer programming instructions are needed which allow the reuse of an authentication infrastructure for digital signature, that is, the same key(s) should be available for both authentication and digital signatures and only a single secure database should be required for key storage.

Additional needs which can be satisfied by, as well as other advantages and novel features of, the present invention will become apparent to those skilled in the art from this disclosure, including the following detailed description, as well as by practice of the invention. While the invention is described below with reference to preferred embodiments, it should be understood that the invention is not limited thereto. Those of ordinary skill in the art having access to the teachings herein will recognize additional applications, modifications and embodiments in other fields, which are within the scope of the invention as claimed herein and with respect to which the invention could be of significant utility.

SUMMARY OF THE INVENTION

According to the present invention, programmed computer(s), such as personal computer(s), workstation(s) or other processing device(s), and computer programming are provided for securing communications over a system having a plurality of users. Each system user has an associated asymmetric crypto-key, such as an RSA crypto-key, with a public key portion and a corresponding private key portion. Each public key portion is available to the plurality of system users, and each private key portion has a first private key portion, which is preferably short in length, e.g. 8 to 12 characters, known only to the associated user, and a corresponding second private key portion.

To enhance the security of communications between users of a crypto-system, computer programming stored on a tangible medium is read by a first user's computer and thereby causes the computer to perform in the following manner. In accordance with its stored programming instructions, a first user's computer generates a temporary asymmetric crypto-key, having a temporary private key portion and an associated temporary public key portion. The temporary public key portion is encrypted, by the first user's computer, with the first private key portion of a crypto-key associated with the first user to form a first encrypted message.

Computer programming stored on a tangible medium is read by a second user's computer, e.g. a security or authentication server, and thereby causes the computer to perform in the following manner. The second user's computer, in accordance with its stored programming instructions, obtains the temporary public key portion by applying the second private key portion, typically retrieved from a secured database, which may be stored on a storage device within the second user's computer, and the public key portion of the first user crypto-key to the first encrypted message. This authenticates the first user to the second user. The second user's computer now further encrypts the first encrypted message with the second private key portion of the first user crypto-key to form a second encrypted message, which serves as a certificate having the temporary public key signed with both permanent private key portions of the first user's private key.

The first user's computer is now driven by the programming stored thereon to apply the public key portion of the first user crypto-key to decrypt the second encrypted message so that the first user's computer obtains the temporary public key portion, thereby authenticating the second user to the first user.
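The following Python example is added here (it is not the patent's or its assignee's code) to show the split-key arithmetic that both the joint-signature discussion of the related art and this Summary rely on: d_a*d_b = d (mod φ(N)), a signature completed in two steps by user and server that verifies under the ordinary public key e, and the first and second encrypted messages of the temporary key exchange. The Mersenne primes, the password, and the representation of the temporary public key portion as an integer below N are assumptions for demonstration only.

```python
from hashlib import sha256
from math import gcd

# Constructed demonstration parameters: the Mersenne primes 2^31-1 and 2^61-1 are
# far too small for real use; they keep the example fast and make e coprime to phi(N).
P = 2147483647
Q = 2305843009213693951
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private key d; the trusted key generator discards it after splitting


def split_private_key(password):
    """Derive the short user portion d_a from a password and compute the server
    portion d_b = d * d_a^-1 mod phi(N), so that d_a * d_b = d (mod phi(N))."""
    d_a = int.from_bytes(sha256(password.encode()).digest()[:8], "big") | 1
    while gcd(d_a, PHI) != 1:  # d_a must be invertible modulo phi(N)
        d_a += 2
    d_b = D * pow(d_a, -1, PHI) % PHI
    return d_a, d_b


def user_partial_sign(m, d_a):
    """User's step: apply the short private key portion."""
    return pow(m, d_a, N)


def server_complete_sign(partial, d_b):
    """Server's step: apply the stored second portion to the user's partial result."""
    return pow(partial, d_b, N)


def verify(m, s):
    """Ordinary RSA verification with the public key (e, N)."""
    return pow(s, E, N) == m % N


def joint_signature(m, d_a, d_b):
    """Two-step signature; indistinguishable from pow(m, D, N) made with the full key."""
    return server_complete_sign(user_partial_sign(m, d_a), d_b)


def temporary_key_exchange(tpk, d_a, d_b):
    """The Summary's first and second encrypted messages, with the encoded temporary
    public key portion tpk taken as an integer below N (assumption).
    Returns (msg1, tpk as seen by the server, msg2, tpk as recovered by the user)."""
    msg1 = pow(tpk, d_a, N)                     # first encrypted message: tpk^d_a
    server_view = pow(pow(msg1, d_b, N), E, N)  # server applies d_b then e, recovering tpk
    msg2 = pow(msg1, d_b, N)                    # second encrypted message: tpk^(d_a d_b) = tpk^d
    user_view = pow(msg2, E, N)                 # user applies e; equals tpk only if the
    return msg1, server_view, msg2, user_view   # server really held d_b
```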
The second user's computer is next driven by the programming stored thereon to encrypt a message to a third user, such as an instruction to provide a ticket for service or the desired service itself, and a first symmetric session crypto-key, which might also be generated by the second user's computer in accordance with the programming instructions, with the second private key portion of a third user crypto-key associated with the third user to form a third encrypted message. Like the second private key portion of the first user crypto-key, the second private key portion of the third user crypto-key is preferably accessible and retrieved from a secured database. The third user could for example be a ticket granting server in a Kerberos system or a service server of any type which might require secure communications.

Computer programming stored on a tangible medium is 
read by a third user's computer, e.g. a ticket granting or 
service server, and thereby causes the computer to perform 
in the following manner. The third user's computer is driven 
by the programming stored thereon to encrypt the first 
symmetric session crypto-key with the temporary public key 
portion to form a fourth encrypted message. 

The first user's computer is then driven by the programming stored thereon to obtain the first symmetric session crypto-key by applying the temporary private key portion, which should only be available to the first user's computer, to decrypt the fourth encrypted message. The first user's computer is also operated to further encrypt the third encrypted message with the temporary private key portion to form a fifth encrypted message. Additionally, the first user's computer encrypts a second message, such as a time stamp, with the first symmetric session key to form a sixth encrypted message.

The third user's computer is next driven by the programming stored thereon to obtain the first message and the first symmetric session crypto-key by applying the temporary public key portion and the first private key portion of the third user crypto-key to decrypt the fifth encrypted message and thereby authenticate the first user and the second user. The third user's computer is also instructed by the programming to obtain the second message by applying the first symmetric session crypto-key to the sixth encrypted message.

In accordance with the stored programming instructions, the third user's computer now encrypts a third message to the fourth user, for example a service server, and a second symmetric session key with the second private key portion of a crypto-key associated with the fourth user to form a seventh encrypted message. The second private key portion of the fourth user crypto-key is typically also retrieved from a secured database. The third user's computer is also driven by the programming to encrypt the third encrypted message with the first private key portion of the third user crypto-key to form an eighth encrypted message. Still further, the third user's computer is operated to additionally encrypt the second symmetric session key with the first symmetric session key to form a ninth encrypted message.

The first user's computer is driven by the programming stored thereon to obtain the first message and the first symmetric session key by applying the public key portion of the third user crypto-key to the eighth encrypted message. This authenticates the third user to the first user. The first user's computer is also driven to obtain the second symmetric session key by applying the first symmetric session key to the ninth encrypted message. The seventh encrypted message is further encrypted by the first user's computer with the temporary private key portion to form a tenth encrypted message. Additionally, the first user's computer is operated to encrypt a fourth message to the fourth user with the second symmetric session key to form an eleventh encrypted message.

Computer programming stored on a tangible medium is read by a fourth user's computer, e.g. a service server, and thereby causes the computer to perform in the following manner. In accordance with the stored programming instructions, the fourth user's computer obtains the third message and the second symmetric session crypto-key by applying the temporary public key portion along with the first private key portion of the fourth user crypto-key to the tenth encrypted message. This authenticates the first and third users to the fourth user. The fourth user's computer is next driven to apply the second symmetric session crypto-key to the eleventh encrypted message and thereby obtain the fourth message. The fourth user's computer is then operated to encrypt the seventh encrypted message with the first private key portion of the fourth user crypto-key to form a twelfth encrypted message.

The first user's computer is driven by the programming stored thereon to obtain the third message and the second symmetric session key by applying the public key portion of the fourth user crypto-key to the twelfth encrypted message. This authenticates the fourth user to the first user. The first user's computer is also instructed by its programming to apply the second symmetric session crypto-key to encrypt and decrypt data communicated between the first and fourth users.

It should be recognized that the third user's computer could, if desired, also be directed by its programming to provide the second session key to another user, for example the FBI, to allow legal eavesdropping on communications between the first and fourth users without revealing the permanent private key of the first and fourth user.

In accordance with yet other aspects of the invention, joint signatures can be performed by two users, for instance the first and second users described above, using the temporary crypto-key. The first user's computer is driven by the programming stored thereon to generate a hash message and a time stamp encrypted with the first private key portion of the first user's crypto-key to form an encrypted message. A signature of the first user is thereby placed on the hash message. The first user's computer is also driven to encrypt the encrypted hash and time stamp message with the temporary private key portion and with the first private key portion of the first user crypto-key to form a further encrypted message. The first user's computer is further driven by the stored programming to encrypt the temporary public key portion with the first private key portion of the first user crypto-key to form another encrypted message.

The second user's computer is driven by the programming stored thereon to decrypt and obtain the temporary public key portion by applying the second private key portion and the public key portion of the first user crypto-key. Pursuant to instructions from the stored programming, the second user's computer is next driven to apply the temporary public key portion, thus obtained, along with the second private key portion and the public key portion of the first user crypto-key to obtain the encrypted hash message and time stamp; that is, the second user's computer partially rather than fully decrypts the message so that what remains is the hash message and time stamp encrypted with only the first private key portion of the first user's crypto-key, which as discussed previously is the signature of the first user on the hash message and time stamp.
As discussed above, the second user's computer is typically driven to retrieve the second private key portion of the first user's crypto-key from the secured database, such as that provided in conventional Kerberos systems. It also will be understood that the second user's computer will, in appropriate cases, also be driven to fully decrypt the message to ensure that the second user is agreeable to co-signing the message. The second user's computer, in accordance with its programming instructions, then further encrypts the partially decrypted message with the second private portion of the first user's crypto-key. The second user has thereby also signed the hash message and time stamp. The second user's computer is now operated to encrypt the jointly signed message with the second temporary key portion.

The first user's computer is driven by the programming stored thereon to partially decrypt the message by applying the temporary private key portion, thereby leaving only the jointly signed message, i.e. the hash message and time stamp encrypted with the first and second private key portions of the first user's crypto-key. A still further user's computer, in accordance with its programming, can now decrypt the hash message and time stamp using only the public key portion of the first user's crypto-key and thereby verify that the hash message and time stamp have been jointly signed.

According to still further aspects of the invention, the application of the public key portion of the first user crypto-key to decrypt the second encrypted message and obtain the temporary public key portion is performed multiple times so as to also authenticate the first and second users to the third user as well as the fourth user. Preferably, in order to defend against dictionary attacks, the first encrypted message includes a first random number string concatenated with the temporary public key portion, the fourth encrypted message includes a second random number string different from the first random number string concatenated with the first symmetric session key, and the ninth encrypted message includes a third random number string, different from the first and second random number strings, concatenated with the second symmetric session crypto-key. Likewise, the hash message and time stamp signed by the first user, i.e. encrypted with the first private key portion of the first user crypto-key, preferably also has a random number string concatenated to it prior to being further encrypted with the first private key portion of the first user crypto-key and the temporary private key portion. Similarly, the jointly signed hash message and time stamp preferably has a different random number string concatenated to it prior to being further encrypted with the temporary public key portion. The asymmetric crypto-keys are applied using modular exponentiation and the temporary crypto-key has an associated expiration time.

It will be understood that various features and aspects of the present invention can be implemented together or separately as may be desired for the particular application. Hence, in accordance with the present invention, a computer or computer programming might, in appropriate circumstances, only perform authentication of a user and a third party, such as an authentication server. The user's computer, in such a case, encrypts a message with the first private key portion of the user's asymmetric crypto-key to form a first encrypted message. The third party's computer obtains the first message by applying the second private key portion, and typically the public key portion of the user's crypto-key, to the first encrypted message, and thereby authenticates the user to the third party. The third party's computer then encrypts the first encrypted message with the second private key portion of the user's crypto-key to form a second encrypted message. The first user's computer obtains the first message by applying the public key portion of the user's crypto-key to decrypt the second encrypted message and thereby authenticates the third party.

Similarly, it may in certain cases be desirable only to require authentication of one user to another. This can be accomplished by one user's computer encrypting a first message with the first private key portion of the user's asymmetric crypto-key to form a first encrypted message. The third party's computer encrypts the first encrypted message with the second private key portion of the user's crypto-key to form a second encrypted message. A second user's computer can now obtain the first message by applying the public key portion of the other user's crypto-key to decrypt the second encrypted message. This authenticates the first user to the second user and also verifies that the first message is signed by both the first user and the third party.

Authentication of one user to another can also be accomplished by the third party's computer encrypting a first message with the second private key portion of the first user's asymmetric crypto-key to form a first encrypted message. The first user's computer can now encrypt the first encrypted message with the first private key portion of his/her user crypto-key to form a second encrypted message. The second user's computer can obtain the first message by applying the public key portion of the first user's crypto-key to decrypt the second encrypted message and thereby authenticate the first user and verify that the first message is signed by both the first user and the third party.

In still other cases it may be desirable to limit the utilization of the present invention to temporary key distribution. In such a case, a user's computer first generates a temporary asymmetric crypto-key having a temporary private key portion and an associated temporary public key portion. The user's computer encrypts the temporary public key portion with the first private key portion of the user's crypto-key to form a first encrypted message. The third party's computer encrypts the first encrypted message with the second private key portion of the user's crypto-key to form a second encrypted message. Another user's computer can now obtain the temporary public key portion by applying the public key portion of the first user's long term crypto-key. Each user's computer can now encrypt and decrypt communications between the two users with one of the temporary key portions.

In yet other cases it may be desirable to direct the implementation of the present invention to symmetric session key distribution. In this case a temporary asymmetric crypto-key having a temporary private key portion and an associated temporary public key portion may be generated by the third party's computer. The third party's computer then encrypts the symmetric session crypto-key with the second private key portion of a user's long term crypto-key to form a first encrypted message. The third party's computer also encrypts the symmetric session crypto-key with the temporary public key portion to form a second encrypted message. A second user's computer obtains the symmetric session crypto-key by applying the temporary private key portion to decrypt the second encrypted message and encrypts the first encrypted message with the temporary private key portion to form a third encrypted message. The first user's computer obtains the symmetric session crypto-key by applying the temporary public key portion and the first user's first private key portion to decrypt the third encrypted message. Communications between the first user and the second user can now be encrypted and decrypted by each user's computer with the symmetric session crypto-key.
Symmetric session distribution can alternatively be performed, in accordance with the present invention, by the third party's computer encrypting a first symmetric session key with the second private key portion of a first user's asymmetric crypto-key to form a first encrypted message and with a second symmetric session key to form a second encrypted message. The second user's computer obtains the first symmetric session key by applying the second symmetric session key to the second encrypted message. The second user's computer encrypts the first encrypted message with the temporary private key portion to form a third encrypted message. The first user's computer obtains the second symmetric session crypto-key by applying the second temporary key portion and the first private key portion of the first user crypto-key to the third encrypted message. Communications between the users can now be encrypted and decrypted by the first and second users' computers with the second symmetric session crypto-key.

In either of the above cases, if appropriately authorized, the symmetric session crypto-key can be disclosed, by the third party, to a third user, such as the Federal Bureau of Investigation (FBI), for eavesdropping on the encrypted communication.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a conventional Kerberos authentication system.

FIG. 2 is a diagram of an authentication system according to the present invention.

FIGS. 3A and 3B are flow diagrams illustrating the steps for securing communications in accordance with the present invention.

FIG. 4 is a flow diagram illustrating the steps for forming joint signatures in accordance with the present invention.

FIG. 5 depicts a computer suitable for use as the client processor depicted in FIG. 2.

FIG. 6 is an exemplary block diagram of the computer depicted in FIG. 5.

FIG. 7 depicts a computer suitable for use as the authentication server depicted in FIG. 2.

FIG. 8 is an exemplary block diagram of the computer depicted in FIG. 7.

FIG. 9 depicts a computer suitable for use as the ticket granting server depicted in FIG. 2.

FIG. 10 is an exemplary block diagram of the computer depicted in FIG. 9.

FIG. 11 depicts a computer suitable for use as the service granting server depicted in FIG. 2.

FIG. 12 is an exemplary block diagram of the computer depicted in FIG. 11.

DESCRIPTION OF THE PREFERRED EMBODIMENT

For purposes of the following description it should be understood that [Message]Kc means the message is encrypted using a symmetric cryptosystem, such as DES, and crypto-key Kc. [Message]Dc means the RSA or some other modular exponentiation operator with the corresponding modulus Nc, i.e. [Message]Dc=[Message]^Dc mod Nc.

It should also be understood that the crypto-keys are created, as in any public-key cryptosystem, in accordance with the established policy. The creation and issuance of asymmetric crypto-key could for example be performed by an organization's Security Dept., perhaps the same organization that issues Photo IDs, using a terminal connected to a secure computer (e.g. a computer or processor with a tamper proof chip). A user c could access this terminal, enter her or his name, etc. This information is certified by a security officer, whose . . . The computer then creates an RSA or other public-private key pair . . . for a password, which . . . of the RSA private key D . . . Dcy, which is the portion of the private key which is stored in a secured database, referred to as the Yaksha database. As before, [[M]Dc]Dcy . . . the authentication server . . . the certifying authority, it preferably computes [c,Ec,Nc]Dca, the user's certificate. Any user can obtain the . . . public key . . . to the user's certificate. This is a simplification of the complex structure of an actual certificate but sufficient for purposes of this discussion (Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management", INTERNET RFC 1422, February 1993).

As smart cards become ubiquitous, the user-password becomes irrelevant and the security computer can download the user's (long) private key directly to a smart card. No method of key generation is critical to the functioning of the present invention, hence the above is only meant to be one possible scenario. Since the present invention is not vulnerable to some of the attacks which conventional Kerberos systems are vulnerable to, the user's private key utilized in accordance with the present invention will have a longer useful life than in Kerberos.

Preferably, for every user, there exists a first private asymmetric crypto-key portion Dc known only to the user. It will be understood that a user may be a person or entity, a server or processor, or a system device such as a switch in a communications network. A second private crypto-key portion Dcy for every user is stored on a secured database, i.e. the Yaksha database. Certificates exist on a certifying authority's server, which is also referred to as the authentication server, and possibly on other servers and user processors, such as a ticket granting server, of the form [c, Ec, Nc]Dca, and every user knows Eca,Nca which is the certifying authority's public key. All other intermediate key generation information has been destroyed, preferably within the safe confines of the tamper proof chip used to . . . crypto-keys.

The present invention will now be described with reference to FIGS. 2, 3A, 3B and 4. FIG. 2 is an exemplary embodiment of the system and FIGS. 3A, 3B and 4 illustrate the steps performed by the various system components to provide enhanced system security and flexibility, in accordance with the present invention.

Referring first to FIG. 2, as shown the system includes a personal computer, workstation or other type of processor 110 operated by a user c. The processor 110 is connected to network 60 which is identical to the network shown in FIG. 1. The processor 110 can communicate with an authentication server 120, ticket granting server 140 and a service server 150 via the network. A YAKSHA database 130 is directly linked to the authentication server 120 and the ticket granting server 140. A processor or server 160 is also a user of the system and is connected to the system via the network 60. As noted above, each user, including each server, preferably has an asymmetric crypto-key assigned to it. The key is made up of a public-private key pair, the public portion of which is known to all users. The private portion of the key
is divided into a user portion Dc which is known only to the applicable user and a second portion Dcy which is stored on the YAKSHA database 130 and accessible only to the authentication server 120 and ticket granting server 140.

As will be described below, each of the messages transmitted in a conventional Kerberos type environment will have a corresponding message in the system and method of the present invention. As shown in FIG. 2, these messages are designated 1' through 6'.

Referring now to FIGS. 1, 2, 3A and 3B, in step 200 of FIG. 3A, a temporary RSA key pair Dctemp, Ectemp and Nctemp are generated by processor 110. In Kerberos the initial as_req, as_rep message 1 of FIG. 1 is:

Kerberos:as_req:c,tgs,time, . . . (1)

The corresponding message 1' of FIG. 2, generated in step 210 of FIG. 3A and transmitted over network 60 by processor 110 of FIG. 2, is:

Yaksha:as_req:c,tgs,time, . . . ,[[TEMP-CERT]Dc,n]Dc (1')

In message 1' TEMP-CERT contains (c, Ectemp, Nctemp, expiry-time, etc.) where Ectemp, Nctemp is the public portion of the temporary RSA private-public key pair which the user c generated on processor 110, and expiry-time is the time interval or period during which the temporary RSA key pair is valid. The time interval of validity will vary depending on the application but may nominally be set to correspond to one business day or some portion thereof. The TEMP-CERT is encrypted and hence "signed" with the user's portion of the long term private key, Dc. This structure is then concatenated with a random number string n, and again "encrypted" with Dc. Accordingly, an attacker who might later see TEMP-CERT is prevented from seeing [TEMP-CERT]Dc and mounting a dictionary attack by taking guesses at Dc and checking if [TEMP-CERT]guess=[TEMP-CERT]Dc.

The authentication server 120 receives message 1' and performs [[[[TEMP-CERT]Dc,n]Dc]Dcy]Ecy, as indicated in step 220 of FIG. 3A, to recover [TEMP-CERT]Dc and n. The server 120 retrieves Dcy from storage in Yaksha database 130. The server 120 then completes the signature on the temporary certificate by performing, in step 230 of FIG. 3A, [[TEMP-CERT]Dc]Dcy. Observe that by performing [[[TEMP-CERT]Dc]Dcy]Ecy and successfully recovering the TEMP-CERT, the authentication server 120 can authenticate the user. It should also be noted that, in recovering TEMP-CERT, the server 120 recovers Ectemp, Nctemp.

At this point in Kerberos the reply to the user, represented as message 2 in FIG. 1, is:

Kerberos:as_rep:{Kc,tgs,time-exp, . . . }Kc,{Tc,tgs}Ktgs (2)

The corresponding message 2' generated by server 120 of FIG. 2 in steps 240 through 260 of FIG. 3A and transmitted via network 60 is:

Yaksha:as_rep:[Kc,tgs,time-exp, . . . ]Ec.temp,[Tc,tgs]Dtgsy,[[TEMP-CERT]Dc]Dcy (2')

It will be observed that the first two components of messages 2 and 2' are identical, except that in message 2' the encryption is performed using modular exponentiation and using different keys. The third component of message 2' is the certificate signed by both processor 110 and the server 120, verifying the authenticity of the temporary public-private key pair. The processor 110, after receipt of message 2', can "decrypt" the first part of the message 2' using Dctemp, which only it knows, to recover the usual Kerberos information as indicated in step 270 of FIG. 3A. The second portion of message 2' is the ticket granting ticket encrypted by server 120 with the portion Dtgsy of the ticket granting server 140 RSA private key, which is retrieved from Yaksha database 130. It should be noted that the user private key is not utilized in this transaction or communication other than in connection with messages 1' and 2'. Nor is the other portion of this private key, namely Dcy, used again, thereby effectively preventing any dictionary attacks against it. Dc and Dcy make their presence felt since they have been used to encrypt, and thus sign, the temporary public key Ectemp, and now the user, using processor 110, can "sign" messages with the corresponding private temporary key Dctemp, which is a regular full size RSA key invulnerable to password guessing attacks, without danger of revealing Dc. Further, a message can be sent securely to the user c encrypted under Ec.temp, by any entity that sees the temporary certificate.

In Kerberos the request, in message 3 of FIG. 1, to the ticket granting server 40 takes the form:

Kerberos:tgs_req:s,{ . . . }Kc,tgs,{Tc,tgs}Ktgs (3)

The only modifications to this message 3 made in message 3' of FIG. 2 are to attach the temporary certificate TEMP-CERT to the message 3', and to take the encrypted ticket from message 2', i.e. [Tc,tgs]Dtgsy, and to sign it using the temporary private key, Dctemp. The first modification allows the ticket granting server 140 to retrieve Ectemp, Nctemp from TEMP-CERT and the second modification guarantees that a compromised authentication server 120 cannot generate a valid ticket for a "fake" user. The resulting message, which is generated by the user using processor 110 and transmitted over network 60, as indicated in steps 280-300 of FIG. 3A, is:

Yaksha:tgs_req:s,{ . . . }Kc,tgs,[[Tc,tgs]Dtgsy]Dctemp,[[TEMP-CERT]Dc]Dcy (3')

The ticket granting server 140 first recovers, for example from the user's permanent certificate, the user's public key portion Ec,Nc. This allows it to recover the TEMP-CERT in step 310 of FIG. 3A. It then uses the temporary public key Ectemp, Nctemp contained in the temporary certificate TEMP-CERT to retrieve [Tc,tgs]Dtgsy in step 320 of FIG. 3A. It then uses its private key Dtgs and public key . . . At this point the ticket granting service 140 has authenticated the user, and the tgs_rep message 4 of FIG. 1 is:

Kerberos:tgs_rep:{Kc,s,time-exp,s, . . . }Kc,tgs,{Tc,s}Ks (4)

Message 4 could be utilized almost unchanged, for instance simply by replacing {Tc,s}Ks with [Tc,s]Dsy. However, in such a case mutual authentication is not achieved and a compromised server 120 could spoof the user into believing it is talking to the server 140 when it is not. So the return message 4' of FIG. 2 is formed to contain proof of the authenticity of server 140. Since the user processor 110 knows [Tc,tgs]Dtgsy, which it received in message 2', the server 140 completes the signature on it with Dtgs; the resulting message 4', as indicated in steps 340-360 of FIG. 3A, is:

Yaksha:tgs_rep:{Kc,s,time-exp,s, . . . }Kc,tgs,[Tc,s]Dsy,[[Tc,tgs]Dtgsy]Dtgs (4')
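Why the completion in steps 220 and 230 recovers TEMP-CERT, as an added derivation in the page's notation rather than part of the patent text; it assumes the private exponent is split multiplicatively, $D_c D_{cy} \equiv D \pmod{\varphi(N_c)}$, with $E_c$ (the page's $E_{cy}$, the public exponent of user c's long term key) satisfying $E_c D \equiv 1 \pmod{\varphi(N_c)}$:

$$
\begin{aligned}
[[[X]D_c]D_{cy}]E_c &= \bigl((X^{D_c})^{D_{cy}}\bigr)^{E_c} \bmod N_c = X^{D_c D_{cy} E_c} \bmod N_c \\
&= X^{D E_c} \bmod N_c = X \bmod N_c, \qquad \text{since } D_c D_{cy} E_c \equiv 1 \pmod{\varphi(N_c)}.
\end{aligned}
$$

The server therefore recovers a well-formed TEMP-CERT only if the outer layer was produced with $D_c$, which is what authenticates user c, and neither party ever needs the other's portion. The dictionary check described above requires the pair $(\text{TEMP-CERT}, [\text{TEMP-CERT}]D_c)$ for each guess; message 1' carries only $[[\text{TEMP-CERT}]D_c, n]D_c$ with a random $n$, so $[\text{TEMP-CERT}]D_c$ is never exposed for comparison.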
In appropriate situations, a message 9' requesting access to the session key Kc may be forwarded to the server 140 via the network 60 from the law enforcement processor or server 160. Assuming appropriate authority can be verified, such as by using the previously described authentication process, the server 140 forwards, in message 10', the session key to the processor 160 thus facilitating a legal wiretap being established on communications between the processor 110 and the server 150. It will be noted that this allows eavesdropping by the law enforcement processor 160 of communications over the network 60 between processor 110 and server 150 during the session, without disclosing to the law enforcement processor 160 the long term private keys of either user. Thus, the long term security of the system has not been jeopardized.

The client via processor 110 retrieves message 4' and, for example using the server 140 permanent certificate, recovers the public key Etgs,Ntgs for server 140 and verifies in step 370 of FIG. 3A that [[Tc,tgs]Dtgsy]Dtgs is the signature on a valid ticket Tc,tgs.

The Kerberos messages 3 and 5 are fundamentally identical, the former being a special type of request to a server. Similarly, message 5' of FIG. 2, generated by user processor 110 in steps 380-400 of FIG. 3B and communicated via network 60, is identical to message 3' of FIG. 2. The messages 5 of FIG. 1 and 5' of FIG. 2 are:

Kerberos:ap_req:{ts,ck, . . . }Kc,s,{Tc,s}Ks (5)

Yaksha:ap_req:{ts,ck, . . . }Kc,s,[[Tc,s]Dsy]Dc.temp,[[TEMP-CERT]Dc]Dcy (5')

It will be noted that message 5' has a general form which is similar to the message 3' generated in steps 280-300 of FIG. 3A. Thus, server 150 will perform steps similar to those shown in steps 310-330 of FIG. 3A in corresponding steps 410-430 of FIG. 3B. These steps will not be further described to avoid unnecessary duplication.

Mutual authentication is again mandated and the server 150 must prove its knowledge of its long term private key Ds. As in message 4' of FIG. 2 this is achieved by the server 150 sending back in message 6' of FIG. 2, via network 60, the service ticket Tc,s with the signature completed. This allows the authenticity of server 150 to be verified by processor 110, in step 450 of FIG. 3B, using the long term public key Es,Ns of server 150. Consequently messages 6 of FIG. 1 and 6' of FIG. 2, the latter of which is generated by server 150 in step 440, are:

Kerberos:ap_rep:{ts}Kc,s (6)

Yaksha:ap_rep:[[Tc,s]Dsy]Ds (6')

It will be observed that both messages 4' and 6' are modified versions of messages 4 and 6, respectively, which facilitate mutual authentication without having to trust the server 120 or server 140.

The forming of joint signatures in accordance with the present invention will now be described with reference to FIGS. 2 and 4. FIG. 4 illustrates the steps performed by the various system components to form a joint signature on a message and thus provide for non-repudiation.

Kerberos does not perform joint signatures, so the following messages do not have a Kerberos counterpart. Rather these messages are a modification of the signature protocol described in Page J. and R. Plant, "A Secure Joint Signature and Key Exchange System", removed for anonymous review. The modified messages significantly improve the security of the system against a potential dictionary attack. The messages are:

Yaksha:sign_req:c,[[H,ts]Dc,n]Dc.temp,[[TEMP-CERT]Dc,n]Dc (7')

Yaksha:sign_rep:[[[H,ts]Dc]Dcy,n]Ec.temp (8')

In forming joint signatures, the temporary asymmetric crypto-key, generated by processor 110 of FIG. 2, as described in step 200 of FIG. 3A, having a private temporary key portion Dctemp and an associated public temporary key portion Ectemp Nctemp, is utilized. The public temporary key portion Ectemp Nctemp is encrypted, as part of the temporary certificate TEMP-CERT, with the long term private key portion Dc of the user c to form a first encrypted message as in step 210 of FIG. 3A. The public temporary key portion Ectemp Nctemp is obtained by, for example, the authentication server 120 of FIG. 2, by applying the second private key portion Dcy and public key portion Ecy Ncy of user c to the first encrypted message, as in step 220 of FIG. 3A, to authenticate user c to the authentication server 120. These steps have not been reiterated in FIG. 4. Thus, the same temporary public-private key pair are used to perform both mutual authentication, as described with reference to FIGS. 3A and 3B, and joint signatures between the user and the server.

Preferably, the user c using processor 110, in step 510 of
FIG. 4, signs, with private key portion Dc known only to
user c, a hash message H, concatenated, optionally, with a
time stamp ts to add redundancy to the message, although in
practice a signature would often have some well defined
format and the time stamp may not be necessary. In step 520
of FIG. 4, the user, via processor 110, concatenates this
signed message with a random number string n to prevent
dictionary attacks of the form [H,ts]guess, and then signs
again with the private temporary key portion Dctemp.
Message 7 is formed by adding [[TEMP-CERT]Dc,n]Dc
which includes the public temporary key portion Ectemp,
Nctemp as described in step 210 of FIG. 3A. Processor 110
transmits the message 7 over the network 60. On receipt of
message 7, the authentication server 120 first unlocks the
TEMP-CERT, just as in step 220 of FIG. 3A, and recovers
the temporary public key Ectemp, Nctemp. Server 120 uses,
in step 530 of FIG. 4, the public temporary key portion
Ectemp to recover [H,ts]Dc and n. The server 120 then, in
step 540, computes [[H,ts]Dc]Dcy, having retrieved Dcy
from Yaksha database 130, which serves as the signature of
server 120 on the hash message and time stamp. Server 120
then, in step 550 of FIG. 4, concatenates the jointly signed
hash message and time stamp with a random number string
n, encrypts the jointly signed message and n using the
temporary public key Ectemp and transmits this encrypted
message via network 60. The user can recover the jointly
signed hash message and time stamp in step 560 by
applying, via processor 110, the temporary private key
Dctemp known only to user c, and then verify the authen-
ticity of the signature using its long-term public key Ec,Nc.
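The joint signature just described (steps 510-560 of FIG. 4), worked through end to end as an added Python example; this is not code from the patent. It assumes the long term private exponent is split multiplicatively (Dc * Dcy = D mod lambda(N), the same [[x]Dc]Dcy transform that completes TEMP-CERT in steps 210-230 of FIG. 3A), that the bracketed transforms are plain RSA exponentiations on big integers, that n is a 64-bit string appended to the value, and fixed toy primes; the password, message and time stamp values are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from math import gcd

E = 65537  # public exponent for every key in this example (an assumption)
# Fixed Mersenne primes make the toy keys reproducible; a deployment would
# draw random primes of adequate size (the page states no key sizes).
USER_P, USER_Q = 2**127 - 1, 2**521 - 1    # long term key: Ec,Nc with Dc,Dcy
TEMP_P, TEMP_Q = 2**607 - 1, 2**1279 - 1   # temporary key: Ectemp,Nctemp, Dctemp

def carmichael_lambda(p, q):
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

@dataclass(frozen=True)
class KeyPair:
    N: int
    E: int
    D: int  # full private exponent (Dctemp for the temporary key)

def rsa_keypair(p, q):
    return KeyPair(p * q, E, pow(E, -1, carmichael_lambda(p, q)))

def derive_dc(password, lam):
    """User's portion Dc from the password (the page: an 8 to 12 character
    segment of the private key); it must be invertible modulo lambda(N)."""
    dc = int.from_bytes(hashlib.sha256(password).digest()[:8], "big") | 1
    while gcd(dc, lam) != 1:
        dc += 2
    return dc

@dataclass(frozen=True)
class SplitKey:
    N: int
    E: int
    Dc: int   # known only to the user
    Dcy: int  # held in the Yaksha database, known only to server 120

def split_key(p, q, password):
    """Split D so that Dc * Dcy = D (mod lambda(N)); then [[m]Dc]Dcy = [m]D."""
    lam = carmichael_lambda(p, q)
    D = pow(E, -1, lam)
    Dc = derive_dc(password, lam)
    return SplitKey(p * q, E, Dc, (D * pow(Dc, -1, lam)) % lam)

def pack(value, n):
    """value concatenated with the 64-bit random number string n."""
    return (value << 64) | n

def unpack(packed):
    return packed >> 64, packed & ((1 << 64) - 1)

def hash_with_ts(message, ts):
    """H,ts: SHA-256 over the message and the time stamp, as an integer."""
    digest = hashlib.sha256(message + ts.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")

def user_sign_request(N, Dc, temp, message, ts):
    """Steps 510-520 on processor 110: [[H,ts]Dc, n]Dctemp of message 7.
    n is fresh per request, so [H,ts]Dc cannot be matched against [H,ts]guess."""
    partial = pow(hash_with_ts(message, ts), Dc, N)   # [H,ts]Dc
    n = secrets.randbits(64)
    return pow(pack(partial, n), temp.D, temp.N), n

def server_complete(key, temp_N, temp_E, msg7):
    """Steps 530-550 on server 120: open with Ectemp (learned from TEMP-CERT),
    add the Dcy signature, return [[[H,ts]Dc]Dcy, n]Ectemp (message 8)."""
    partial, n = unpack(pow(msg7, temp_E, temp_N))
    joint = pow(partial, key.Dcy, key.N)               # [[H,ts]Dc]Dcy
    return pow(pack(joint, n), temp_E, temp_N)

def user_verify(N, pub_E, temp, msg8, n_sent, message, ts):
    """Step 560: only Dctemp opens message 8; the joint signature must verify
    under Ec,Nc. The page names the same n on both legs, so it is read here as
    echoed back (an assumption) and checked to bind the reply to the request."""
    joint, n = unpack(pow(msg8, temp.D, temp.N))
    return n == n_sent and pow(joint, pub_E, N) == hash_with_ts(message, ts)

def partial_alone_verifies(key, message, ts):
    """[H,ts]Dc on its own is not a signature under Ec,Nc: neither the user
    nor the server can produce a valid signature alone (non-repudiation)."""
    h = hash_with_ts(message, ts)
    return pow(pow(h, key.Dc, key.N), key.E, key.N) == h

def run_joint_signature(password, message=b"constructed message", ts=946684800):
    """Whole exchange; True only when the user supplies the enrolled Dc."""
    enrolled = split_key(USER_P, USER_Q, b"enrolled password")  # Dcy in DB
    temp = rsa_keypair(TEMP_P, TEMP_Q)                          # step 200
    dc_attempt = derive_dc(password, carmichael_lambda(USER_P, USER_Q))
    msg7, n = user_sign_request(enrolled.N, dc_attempt, temp, message, ts)
    msg8 = server_complete(enrolled, temp.N, temp.E, msg7)
    return user_verify(enrolled.N, enrolled.E, temp, msg8, n, message, ts)
```

A wrong password yields a different Dc, so the server's Dcy completion no longer verifies under Ec,Nc; this is how the server's contribution doubles as authentication of the user.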

FIGS. 5-12 depict exemplary computers suitable for use as the client processor 110, and the servers 120, 140 or 150 shown in FIG. 2. The computers are preferably commercially available personal computers or high-powered workstations. Each computer's processor could, for example, be a Pentium™ processor. The computers are depicted as having similar hardware configurations, although this is not necessarily required. For example, as will be well understood by the skilled artisan, it may be desirable for components of the respective computers to have attributes such as memory storage capacity, data transmission rates and/or processing speeds which differ. Virtually any commercially available keyboard, mouse and monitor can be utilized. A high-speed network interface, including a high-speed modem, is preferred although not mandatory. One or more of the computers, if desired, could also or alternatively include other components (not shown), such as an optical storage medium, or may exclude depicted components.

Each of the computers differs in its respective computer programming instructions. Hence, the functionality of each of the computers described with reference to FIGS. 5-12 varies from that of the other computers due to the programming instructions which drive its operation. It will be recognized that only routine programming is required to implement the disclosed instructions on the described computers such that the computers are driven by the programming to operate in accordance with the invention.

To avoid unnecessary duplication, common features of the computers depicted in FIGS. 5-12 will be described only with reference to FIGS. 5 and 6. It should be understood that the corresponding components of the computers depicted in FIGS. 7-12 will be similar. Further, since the computer components and configurations are conventional, routine operations performed by the depicted components will generally not be described, such operations being well understood in the art.

Preferably, each of the computers stores its unique programming instructions on its ROM or hard disk. Portions of long term crypto-keys are preferably stored in each computer on the hard disk. Portions of temporary crypto-keys, session keys and other short term data which is required to be processed or otherwise utilized more than once is preferably stored on the RAM. The computer 600' or 600", i.e. either of the computers which serve as the authentication server 120 or ticket granting server 140 of FIG. 2, could if desired include the Kerberos database 130 of FIG. 2 stored preferably on its hard disk.

Referring now to FIG. 5, the computer 600 includes a main unit 610 with slots 611, 612 and 613, respectively provided for loading programming or data from a floppy disc 726a, CD 728a and smart card 729a onto the computer 600. The computer 600 also includes a keyboard 630 and mouse 640 which serve as user input devices. A monitor display 620 is also provided to visually communicate information to the user.

As depicted in FIG. 6, the computer 600 has a main processor 700 which is interconnected via bus 710 with various storage devices including RAM 720, ROM 722 and hard drive 724 with hard disk 724a, all of which serve as a storage medium on which computer programming or data can be stored for access by the processor 700. The main processor 700 is interconnected via bus 710 with various other storage devices such as the floppy disc drive 726, the CD drive 728 and the card reader 729 which are capable of being controlled by drive controller 750 to read computer programming or data stored on a floppy disc 726a, CD 728a or smart card 729a when inserted into the appropriate slot 611, 612 or 613 in the unit 610. By accessing the stored computer programming the processor 700 is driven to operate in accordance with the present invention.

The processor 700 is also operatively connected to the keyboard 630 and/or mouse 640, via input interface 730. The display monitor 620 is interconnected to the processor 700, via display interface 740, to facilitate the display of information to the user. The network interface 760 is provided to interconnect the processor 700 to the network 60 depicted in FIG. 2 and accordingly allow communications between the computer 600 and other network devices. Since the computer 600 serves as the client processor 110 of FIG. 2, the network interface allows communications with network servers 120, 140 and 150 of FIG. 2.

The inter-operation of the various components of the computers depicted in FIGS. 5-12 in implementing the steps described above with reference to FIGS. 2-4 will now be described. Referring first to FIGS. 5 and 6, in order for the first user to communicate with another user on the Yaksha system, the user enters a command using the keyboard 630 or mouse 640, responsive to which the computer programming stored, for example, on the ROM 722 drives the processor 700 to generate a temporary RSA asymmetric crypto-key pair Dctemp, Ectemp and Nctemp, as described in step 200 of FIG. 3A.

In accordance with the stored programming instructions, the processor 700 next prompts the user to enter, via keyboard 630, the user's password, which is preferably an 8 to 12 character segment of the user's RSA private key, by displaying an inquiry on the monitor 620. Alternatively, the user's password Dc could be stored on smart card 729a and entered via card reader 729, thereby allowing retrieval of the password Dc by the processor 700. The use of the smart card 729a for storing the password Dc is particularly beneficial if the password is longer than 12 characters or is of a type not easily remembered by the user. The processor 700 could, if desired, be instructed to temporarily store the password Dc in the RAM 720. Processor 700 is next driven by the stored programming to generate encrypted message 1' of FIG. 2, as described in step 210 of FIG. 3A. The network interface 760 is directed by the processor 700 to transmit the encrypted message over network 60. As discussed above, in message 1' TEMP-CERT contains (c, Ectemp, Nctemp, expiry-time, etc.). Ectemp, Nctemp is the public portion of the temporary RSA private-public key pair. The expiry-time is the time interval or period during which the temporary RSA key pair is valid. In encrypted message 1' generated by the processor 700, the TEMP-CERT is encrypted and hence "signed" with the user's portion of the long term private key, Dc. The processor 700 also concatenates this structure with a random number string n, and further encrypts the message with Dc, all in accordance with instructions from the programming stored on the ROM 722. As discussed previously, this shields [TEMP-CERT]Dc from dictionary attack, thereby improving the crypto-system security.

Referring now to FIGS. 7 and 8, the computer 600' serves as the authentication server 120. Encrypted message 1' is received by the network interface 760' and conveyed to processor 700'. In accordance with instructions from programming stored on ROM 722', the processor 700' retrieves Dcy, Ecy from storage, for example on hard disk 724a', and performs [[[[TEMP-CERT]Dc,n]Dc]Dcy]Ecy, as discussed in step 220 of FIG. 3A. It will be noted that as described, hard disk 724a' stores Dcy and hence the Yaksha database, although this is not a necessary requirement as the Yaksha database could be stored on or separate from any of the computers described in FIGS. 5-12. As indicated above, the processor 700' recovers [TEMP-CERT]Dc and n. The processor 700' then completes the signature on the temporary certificate by performing [[TEMP-CERT]Dc]Dcy, as discussed in step 230 of FIG. 3A. By performing [[[TEMP-CERT]Dc]Dcy]Ecy and successfully recovering the TEMP-CERT, the user has been authenticated. Further, in recovering TEMP-CERT the processor 700' recovers Ectemp, Nctemp.

As described in steps 240 through 260 of FIG. 3A, the processor 700', pursuant to instructions from the programming stored on ROM 722', next retrieves Dtgsy from the Yaksha database stored on hard disk 724a' and generates message 2'. The third component of message 2' includes the certificate signed by both the user processor 700 and the authentication server processor 700', and accordingly provides verification of the authenticity of the temporary public-private key pair. In accordance with the stored programming, the processor 700' directs the network interface 760' to transmit message 2' to computer 600 via network 60.

The processor 700 receives message 2' via network interface 760, and, in accordance with instructions from the programming stored on ROM 722, retrieves Dctemp from storage on, for example, the RAM 720 and decrypts the first part of the message 2' by applying Dctemp, which only it knows, to recover the usual Kerberos information as indicated in step 270 of FIG. 3A. The second portion of message 2' is the ticket granting ticket encrypted by processor 700' with the portion of the RSA private key for ticket granting server 140. As discussed earlier, the user private key portions Dc, Dcy are not utilized in this transaction or communication other than in connection with messages 1' and 2', thus effectively preventing any dictionary attacks against the user's private key. However, Dc and Dcy form the signatures on the temporary public key Ectemp. Accordingly, the user processor 700 can, without danger of revealing Dc, "sign" messages using the private temporary key Dctemp, which is a regular full size RSA key invulnerable to password guessing attacks. Additionally, any entity with access to the temporary certificate can send messages securely to the user c encrypted under Ectemp.

The processor 700, in accordance with instructions from the programming stored on ROM 722, again retrieves Dctemp and generates message 3' of FIG. 2, as indicated in steps 280-300 of FIG. 3A. Message 3' includes the temporary certificate TEMP-CERT. This allows the ticket granting server 140 to retrieve Ectemp, Nctemp from TEMP-CERT. Message 3' also includes the encrypted ticket from message 2', i.e. [Tc,tgs]Dtgsy. This guarantees that a compromised authentication server 120 does not generate a valid ticket for a "fake" user. Message 3' is also signed using the temporary private key, Dctemp. In accordance with further instructions from the programming stored on ROM 722, the processor 700 directs the network interface 760 to forward message 3' to the ticket granting server 140 of FIG. 2 via network 60.

Referring to FIGS. 9 and 10, the ticket granting server computer 600" receives message 3' via network interface 760". In accordance with instructions from programming stored on ROM 722", processor 700" recovers, for example from the user's permanent certificate, the user's public key portion Ec,Nc, and uses this to recover the TEMP-CERT, as described in step 310 of FIG. 3A. As instructed by the stored programming, the processor 700" then uses the temporary public key from the temporary certificate TEMP-CERT to retrieve [Tc,tgs]Dtgsy, as described in step 320 of FIG. 3A. The processor, pursuant to further programming instructions, next retrieves from storage on, for example, hard disk 724a", and uses, its private key Dtgs and public key Etgs,Ntgs to recover the ticket Tc,tgs, as described in step 330 of FIG. 3A. As previously discussed, the ticket granting server 140 has now authenticated the user.

The stored programming on ROM 722" now instructs the processor 700" to generate the return message 4' of FIG. 2 in a manner which includes proof of the authenticity of server 140. In this way a compromised server 120 cannot spoof the user into believing it is talking to the server 140 when it is not. Since the user processor 700 already knows [Tc,tgs]Dtgsy, which it received as part of message 2', as indicated in step 280 of FIG. 3A, the processor 700" completes the signature on this message using its portion of its private key Dtgs and generates the tgs_rep message 4' of FIG. 2, as indicated in steps 340-360 of FIG. 3A. The stored programming now instructs the processor 700" to direct the network interface 760" to forward message 4' to the user via network 60.

As has been previously discussed, in appropriate situations, a message requesting access to the session key Kc may be forwarded to the ticket granting server processor 700" via the network 60 from the law enforcement processor or server 160 of FIG. 2. Assuming appropriate authority is verified, perhaps by using the previously described authentication process, the processor 700", pursuant to instructions from the stored programming, forwards a message including the session key to the processor 160, thus facilitating a legal wiretap being established on communications between the user computer 600 and the service server computer 600''', which will be described in detail below. Accordingly, legal eavesdropping by the law enforcement processor 160 of communications over the network 60 during a session is facilitated, without disclosing the long term private keys of either user to the law enforcement processor 160 and jeopardizing long term system security.

The computer 600 receives message 4' via network interface 760. In accordance with the programming instructions stored on ROM 722, and for example using the server 140 permanent certificate, processor 700 recovers the public key Etgs,Ntgs for server 140 from hard disk 724a and verifies, as described in step 370 of FIG. 3A, that [[Tc,tgs]Dtgsy]Dtgs is the signature on a valid ticket Tc,tgs.

Message 5' of FIG. 2 is generated, as described in steps 380-400 of FIG. 3B, by the user's computer 600. This message is similar to message 3' of FIG. 2 which, as described above, is likewise generated by the user's computer 600. Accordingly, the generation of message 5' by computer 600 will not be further described.

Service server computer 600''' will decrypt message 5' by performing steps similar to those performed by ticket granting server computer 600" and as described in steps 310-330 of FIG. 3A. Accordingly corresponding steps 410-430 of FIG. 3B will not be further described.

Referring to FIGS. 11 and 12, as with message 4' of FIG. 2, mutual authentication is achieved by service server computer 600''' proving knowledge of its long term private key Ds. Hence, in accordance with instructions from programming stored on ROM 722''', processor 700''' retrieves Ds from, for example, hard disk 724a''', and generates, as described in step 440, message 6' of FIG. 2, which includes the service ticket Tc,s with the signature completed. Pursuant to the stored programming instructions, the processor 700''' directs the network interface 760''' to transmit message 6' via network 60 back to the computer 600. The authenticity of the service server 150 is verified by the processor 700, in accordance with programming instructions stored on ROM 722 and as described in step 450 of FIG. 3B, by retrieving from storage on, for example, hard disk 724a and applying the long term public key Es,Ns of server 150. Both messages 4' and 6' facilitate mutual authentication, without having to trust the server 120 or server 140.

The forming of joint signatures in accordance with the present invention will now be described with reference to FIGS. 2, and 4-8. FIG. 4 illustrates the steps performed to form a joint signature on a message and thus provide for non-repudiation.

In forming joint signatures, computers 600 and 600' perform steps 200-220 of FIG. 3A as previously described. Therefore performance of these steps will not be reiterated. Pursuant to instructions from the programming stored on ROM 722, processor 700 signs a hash message H, optionally concatenated with a time stamp ts to add redundancy to the message, with Dc as discussed in step 510 of FIG. 4. In accordance with the stored programming instructions, processor 700 next concatenates this signed message with a random number string n to prevent dictionary attacks of the form [H,ts]guess, and then again signs the message with the private temporary key portion Dctemp, as described in step 520 of FIG. 4. As further instructed by the stored programming, the processor 700 generates message 7' by adding [[TEMP-CERT]Dc,n]Dc which includes the public temporary key portion Ectemp, Nctemp as described in step 210 of FIG. 3A. Processor 700 is then instructed by the stored programming to direct the network interface 760 to transmit message 7' over the network 60.

Message 7' is received by authentication server processor 700' via network interface 760'. As instructed by the programming stored on the ROM 722', the processor 700' first unlocks the TEMP-CERT, just as described above in the performance of step 220 of FIG. 3A by processor 700'. Processor 700' thereby recovers the temporary public key Ectemp, Nctemp.

In accordance with further instructions from the stored programming, processor 700' uses the public temporary key portion Ectemp to recover [H,ts]Dc and n, as described in step 530 of FIG. 4. The processor 700' is now directed by the stored programming to compute [[H,ts]Dc]Dcy, as described in step 540, having retrieved Dcy from the Yaksha database stored on hard disk 724a'. The addition of Dcy serves as the signature of server 120 on the time stamped hash message. In accordance with further instructions from the stored programming, the processor 700' concatenates the jointly signed hash message and time stamp with a random number string n and encrypts the jointly signed message and n using the temporary public key Ectemp, as discussed in step 550 of FIG. 4. The stored programming now instructs the processor 700' to direct the network interface 760' to transmit the encrypted message via network 60.

The user processor 700 receives the encrypted message via network interface 760 and, in accordance with instructions from the programming stored on ROM 722, recovers the jointly signed hash message and time stamp as described in step 560 by retrieving from RAM 720 and applying the temporary private key Dctemp. The processor 700 is then instructed to retrieve its long-term public key Ec,Nc from the hard disk 724a and verify the authenticity of the signature using its long-term public key Ec,Nc.

In accordance with the present invention, in order for a user to authenticate itself to the certification or authentication server, and vice versa, the user must reveal knowledge of Dc to the server, and the server must reveal knowledge of Dcy to the user. Further, when a user receives a ticket from another user it requires proof that the authentication server has vouched for the ticket, and further, unlike in conventional Kerberos, requires proof that the user has requested the ticket, i.e. it trusts neither the user nor the authentication server individually, but it trusts the message if both vouch for it. Similarly, the mutual authentication response to the initiating user requires a message vouched for by both the other user and the authentication server.

However, like in Kerberos, the user's private key Dc is stored for no more than a short, i.e. the minimum, period of time. Hence a temporary RSA private-public key pair is generated on the fly, that is on-line in real time, and the user and the authentication server collaborate to sign the public portion of this temporary key to create a temporary certificate that is valid for, say, eight hours. It will be noted that the authenticity of this temporary pair is verified using the long term public key. Further, the authentication server never sees the private key portion of the temporary pair. This entire artifice may disappear once smart cards are ubiquitous, and computations involving a user's private key occur inside the smart card connected to the computer. Also, legal wiretaps can be established without the disclosure of users' long term private keys. All of the above is achieved, in accordance with the present invention, with minimal changes to the conventional Kerberos protocol. Preferably, users can retrieve certificates from a particular server other than the authentication server. Alternately, the appropriate certificates could be attached to messages from the authentication server.

As described above, the present invention provides a programmed computer and computer programming for securing communications in which the compromise of a database, such as the secured database in a conventional Kerberos system, will not be catastrophic to the overall security. The computer and programming of the present invention also make the crypto-system less vulnerable to dictionary attacks and provide a way for one user to authenticate itself to another user. The described computer and programming facilitate digital signatures being placed on a message and thereby provide for non-repudiation. Additionally the computer and programming of the present invention can be implemented to enhance security in conventional Kerberos systems with minimum changes to the standard Kerberos protocol and are compatible with the use of "smart cards". Finally, the described computer and programming allow the reuse of an authentication infrastructure for digital signatures.

It will also be recognized by those skilled in the art that various features and aspects of the above described invention may be used individually or jointly. For example, aspects of the invention relating to authentication, joint signatures and key exchange may be implemented together or individually as may be desired for a particular application. Additionally, although in the description of the preferred embodiments of the invention the public key portion of the user's public/private key pair is applied by specific users, it will be understood that the application of the public key portion of the user's public/private key pair in, for example, authentication and key exchange, can often be performed by … . Finally, although the preferred embodiments are described in the context of a Kerberos type system, those skilled in the art will recognize that the present invention can be beneficially utilized in any crypto-system having a secure central data base in which to store crypto-keys.

What is claimed:

1. An article of manufacture for securing communications between users of a crypto-system having a plurality of users, each of said plurality of users having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to:

generate a temporary asymmetric crypto-key having a first temporary key portion and an associated second temporary key portion;
encrypt said second temporary key portion with the first 
private key portion of a first user crypto-key asso- 
ciated with a first user to form a first encrypted 
message; 

direct issuance of said first encrypted message to a 
second user having access to the second private key 
portion of the first user crypto-key, wherein the 
second temporary key portion is obtainable by appli- 
cation of the second private key portion of the first 
user crypto-key to the first encrypted message to 
thereby authenticate the first user to the second user, 
and 

apply the public key portion of the first user crypto-key 
to decrypt a second encrypted message, which 
includes the first encrypted message encrypted with 
the second private key portion of the first user 
crypto-key, to thereby authenticate the second user to 
the first user. 

2. An article of manufacture according to claim 1, wherein 
said stored computer programming is configured to be 
readable from said computer readable storage medium by 
the computer to thereby cause said computer to operate so as 
to: 

apply the first temporary key portion to decrypt a third 
encrypted message, which includes a first symmetric 
session crypto-key encrypted with the second tempo- 
rary key portion, to obtain a first symmetric session 
crypto-key; 

apply the first temporary key portion to encrypt a fourth 
encrypted message, which includes the first symmetric 
session crypto-key encrypted with the second private 
key portion of a third user, to form a fifth encrypted 
message; and 

direct issuance of said fifth encrypted message to said 
third user, wherein the first symmetric session crypto- 
key is obtainable by application of the first private key 
portion of the third user crypto-key and the second 
temporary key portion to decrypt the fifth encrypted 
message and thereby authenticate the first user and the 
second user to the third user. 

3. An article of manufacture according to claim 2, wherein 
said stored computer programming is configured to be 
readable from said computer readable storage medium by 
the computer to thereby cause said computer to operate so as 
to apply said first symmetric session key to encrypt a first 
communication to the third user, or to decrypt a second 
communication from the third user. 

4. An article of manufacture according to claim 2, wherein 
said stored computer programming is configured to be 
readable from said computer readable storage medium by 
the computer and thereby cause said computer to operate so 
as to: 

apply the first symmetric session crypto-key to decrypt a 
sixth encrypted message, which includes a second 
symmetric session crypto-key encrypted with said first 
symmetric session crypto-key, to obtain the second 
symmetric session crypto-key; 

apply the public key portion of the third user crypto-key 
to decrypt a seventh encrypted message, including the 
first symmetric session crypto-key encrypted with the 
first and the second private key portions of the third 
user, to obtain the first symmetric session crypto-key 
and thereby authenticate the third user to the first user; 

apply the first temporary key portion to encrypt an eighth 
encrypted message, which includes the second sym- 
metric session crypto-key encrypted with the second 
private key portion of a fourth user crypto-key associ- 
ated with a fourth user, to form a ninth encrypted 
message; 

direct issuance of said ninth encrypted message to the 
fourth user, wherein the second symmetric session 
crypto-key is obtainable by application of the second 
temporary key portion and the first private key portion 
of the fourth user crypto-key to decrypt the ninth 
encrypted message and thereby authenticate the first 
user and the second user to the fourth user. 

5. An article of manufacture according to claim 4, wherein 
said stored computer programming is configured to be 
readable from said computer readable storage medium by 
the computer and thereby cause said computer to operate so 
as to decrypt a tenth encrypted message, which includes the 
second symmetric session crypto-key encrypted with the 
first and the second private key portions of the fourth user 
crypto-key, by application of the public key portion of the 
fourth user crypto-key to the tenth encrypted message and 
thereby authenticate the fourth user to the first user. 

6. A programmed computer for securing communications 
between users of a crypto- system having a plurality of users, 
each of said plurality of users having an associated asym- 
metric crypto-key with a public key portion and a corre- 
sponding private key portion, each public key portion being 
accessible to the plurality of system users, each private key 
portion having a first private key portion known only to the 
associated user and a corresponding second private key 
portion, comprising: 

a processor for generating a temporary asymmetric 
crypto-key having a first temporary key portion and an 
associated second temporary key portion, for encrypt- 
ing said second temporary key portion with the first 
private key portion of a first user crypto-key associated 
with a first user to form a first encrypted message, for 
directing issuance of said first encrypted message to a 
second user having access to the second private key 
portion of the first user crypto-key, and for applying the 
public key portion of the first user crypto-key to 
decrypt a second encrypted message, which includes 
the first encrypted message encrypted with the second 
private key portion of the first user crypto-key, to 
thereby authenticate the second user to the first user; 
and 

storage medium for storing the first temporary key 
portion, and the public key portion of the first user 
crypto-key. 

7. A programmed computer according to claim 6, 
wherein: 

said processor is adapted (i) to apply the first temporary 
key portion to decrypt a third encrypted message, 
which includes a first symmetric session crypto-key 
encrypted with the second temporary key portion, to 
obtain the first symmetric session crypto-key, (ii) to 
apply the first temporary key portion to encrypt a fourth 
encrypted message, which includes the first symmetric 
session crypto-key encrypted with the second private 
key portion of a third user crypto-key associated with 
40 a third user, to form a fifth encrypted message, and (iii) 
to direct the issuance of said fifth encrypted message to 
said third user; 
said storage medium is adapted to store said first sym- 
metric session crypto-key; and 
63 the first symmetric session crypto-key is obtainable by 
application of the first private key portion of the third 
user crypto-key and the second temporary key portion 
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to decrypt the fifth encrypted message and thereby 
authenticate the first user and the second user to the 
third user. 

8. A programmed computer according to claim 7, wherein said processor is adapted to encrypt a message to or decrypt a message from the third user with said first symmetric session key.

9. A programmed computer according to claim 7, wherein:

said processor is adapted (i) to apply the first symmetric session crypto-key to decrypt a sixth encrypted message, which includes a second symmetric session crypto-key encrypted with said first symmetric session crypto-key, to obtain the second symmetric session crypto-key, (ii) to apply the public key portion of the third user crypto-key to decrypt a seventh encrypted message, which includes the first symmetric session crypto-key encrypted with the first and the second private key portions of the third user, to obtain the first symmetric session crypto-key and thereby authenticate the third user to the first user, (iii) to apply the first temporary key portion to encrypt an eighth encrypted message, which includes the second symmetric session crypto-key encrypted with the second private key portion of a fourth user crypto-key associated with a fourth user, to form a ninth encrypted message, and (iv) to direct issuance of said ninth encrypted message to the fourth user;

said storage medium is adapted to store said second symmetric session crypto-key, and the public key portion of the third user crypto-key; and

the second symmetric session crypto-key is obtainable by application of the second temporary key portion and first private key portion of the fourth user crypto-key to decrypt the ninth encrypted message and thereby authenticate the first user and the third user to the fourth user.

10. A programmed computer according to claim 9, wherein said processor is adapted to apply the public key portion of the fourth user crypto-key to decrypt a tenth encrypted message, which includes the second symmetric session crypto-key encrypted with the first and the second private key portions of the fourth user crypto-key, to obtain the second symmetric session crypto-key and thereby authenticate the fourth user to the first user.

11. An article of manufacture for jointly signing communications between users in a crypto-system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to:

generate a temporary asymmetric crypto-key having a first temporary key portion and an associated second temporary key portion;

apply the first private key portion of a first user crypto-key associated with a first user to encrypt said second temporary key portion to form a first encrypted message;

direct issuance of the first encrypted message to a second user having access to the second private key portion of the first user crypto-key;

apply the first private key portion of the first user crypto-key to encrypt a hash message to form a second encrypted message, and thereby place a signature of the first user on the hash message;

apply said first temporary key portion to encrypt said second encrypted message to form a third encrypted message;

direct issuance of the third encrypted message to the second user; and

apply the public key portion of the first user crypto-key to decrypt a fourth encrypted message, which includes the second encrypted message encrypted with the second private key portion of the first user crypto-key, to obtain the hash message to thereby verify the joint signatures of the first and the second users on the hash message;

wherein, the second temporary key portion is obtainable by applying the second private key portion of the first user crypto-key to decrypt the first encrypted message and thereby authenticate the first user to the second user, and the second encrypted message is obtainable by applying said second temporary key portion to decrypt the third encrypted message.

12. A programmed computer for jointly signing communications between users of a crypto-system having a plurality of users, each of said plurality of users having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion, comprising:

a processor (i) for generating a temporary asymmetric crypto-key having a first temporary key portion and an associated second temporary key portion, (ii) for applying the first private key portion of a first user crypto-key associated with a first user to encrypt said second temporary key portion to form a first encrypted message, (iii) for directing issuance of the first encrypted message to a second user having access to the second private key portion of the first user crypto-key, (iv) for applying the first private key portion of the first user crypto-key to encrypt a hash message to form a second encrypted message, and thereby place a signature of the first user on the hash message, (v) for applying said first temporary key portion to encrypt said second encrypted message to form a third encrypted message, (vi) for directing issuance of the third encrypted message to the second user, and (vii) for applying the public key portion of the first user crypto-key to decrypt a fourth encrypted message, which includes the second encrypted message encrypted with the second private key portion of the first user crypto-key, to obtain the hash message and thereby verify the joint signatures of the first and the second users on the hash message; and

storage medium for storing the first temporary key portion, and the public key portion of the first user crypto-key;

wherein, the second temporary key portion is obtainable by applying the second private key portion of the first user crypto-key to decrypt the first encrypted message and thereby authenticate the first user to the second user, and the second encrypted message is obtainable by applying said second temporary key portion to decrypt the third encrypted message.

13. An article of manufacture, for authenticating users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a trusted third party, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to:

apply the first private key portion of a first user crypto-key associated with a first user to encrypt a first message to form a first encrypted message;

direct issuance of said first encrypted message to said trusted third party; and

apply the public key portion of the first user crypto-key to decrypt a second encrypted message, which includes the first encrypted message encrypted with the second private key portion of the first user crypto-key, to obtain the first message and thereby authenticate the trusted third party to the first user;

wherein the first message is obtainable by applying the second private key portion of the first user crypto-key to decrypt the first encrypted message and thereby authenticate the first user to the trusted third party.

14. An article of manufacture according to claim 13, wherein the first message is obtainable by applying the public key portion of the first user crypto-key to decrypt the second encrypted message and thereby authenticate the first user to a second user.

15. A programmed computer for authenticating users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a trusted third party, comprising:

a processor (i) for applying the first private key portion of a first user crypto-key associated with a first user to encrypt a first message to form a first encrypted message, (ii) for directing issuance of said first encrypted message to said trusted third party, and (iii) for applying the public key portion of the first user crypto-key to decrypt a second encrypted message, which includes the first encrypted message encrypted with the second private key portion of the first user crypto-key, to obtain the first message and thereby authenticate the trusted third party to the first user; and

storage medium for storing the public key portion of the first user crypto-key and the first message;

wherein the first message is obtainable by applying the second private key portion of the first user crypto-key to decrypt the first encrypted message and thereby authenticate the first user to the trusted third party.

16. A programmed computer according to claim 15, wherein the first message is obtainable by applying the public key portion of the first user crypto-key to decrypt the second encrypted message and thereby authenticate the first user to a second user.

17. An article of manufacture for securing communications between users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a trusted third party, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to:

generate a temporary asymmetric crypto-key having a first temporary key portion and an associated second temporary key portion;

apply the first private key portion of a first user crypto-key associated with a first user to encrypt said second temporary key portion to form a first encrypted message;

direct issuance of said first encrypted message to the trusted third party;

apply said first temporary key portion to encrypt a first communication to form a first encrypted communication or to decrypt a second communication, including a communication encrypted with said second temporary key portion, to obtain said second communication; and

direct issuance of said first encrypted communication to a second user;

wherein, said second temporary key portion is obtainable by applying the public key portion of the first user crypto-key to decrypt a second encrypted message, which includes the first encrypted message encrypted with a second private key portion of the first user crypto-key.

18. A programmed computer for securing communications between users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a trusted third party, comprising:

a processor (i) for generating a temporary asymmetric crypto-key having a first temporary key portion and an associated second temporary key portion, (ii) for applying the first private key portion of a first user crypto-key associated with a first user to encrypt said second temporary key portion to form a first encrypted message, (iii) for directing issuance of said first encrypted message to the trusted third party, (iv) for applying said first temporary key portion to encrypt a first communication to form a first encrypted communication or to decrypt a second communication, including a communication encrypted with said second temporary key portion, to obtain the second communication, and (v) for directing issuance of said first encrypted communication to a second user; and

storage medium for storing said first temporary key portion;

wherein, said second temporary key portion is obtainable by applying the public key portion of the first user crypto-key to decrypt a second encrypted message, which includes the first encrypted message encrypted with a second private key portion of the first user crypto-key.

19. An article of manufacture for authenticating users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a third party, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to:

apply the second private key portion of a first user crypto-key associated with a first user to decrypt a first encrypted message, which includes a first message encrypted with the first private key portion of the first user crypto-key, and thereby authenticate the first user to the third party;

encrypt the first encrypted message with the second private key portion of the first user crypto-key to form a second encrypted message; and

direct issuance of the second encrypted message to the first user, wherein the first message is obtainable by application of the public key portion of the first user crypto-key to decrypt the second encrypted message and thereby authenticate the third party to the first user.

20. An article of manufacture for authenticating users of a system according to claim 19, wherein said third party is an authentication server.

21. A programmed computer for authenticating users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a third party, comprising:

a storage medium for storing the second private key portion of a first user crypto-key associated with a first user; and

a processor (i) for applying the second private key portion of the first user crypto-key to decrypt a first encrypted message, which includes a first message encrypted with the first private key portion of the first user crypto-key, and thereby authenticate the first user to the third party, (ii) for encrypting the first encrypted message with the second private key portion of the first user crypto-key to form a second encrypted message, and (iii) for directing issuance of the second encrypted message to the first user, wherein the first message is obtainable by application of the public key portion of the first user crypto-key to decrypt the second encrypted message and thereby authenticate the third party to the first user.

22. An article of manufacture for authenticating users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a third party, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured to be readable from said computer readable storage medium by a computer and thereby cause said computer to operate so as to:

apply the second private key portion of a first user crypto-key associated with a first user to encrypt a first encrypted message, which includes a first message encrypted with a first private key portion of a first user crypto-key, to form a second encrypted message; and

direct issuance of said second encrypted message to a second user, wherein the first message is obtainable by applying the public key portion of the first user crypto-key to decrypt the second encrypted message and thereby authenticate the first user to the second user.

23. An article of manufacture for authenticating users of a system according to claim 21, wherein by obtaining said first message the signature of both the first user and the third party on the first message is verified.

24. An article of manufacture for authenticating users of a system according to claim 21, wherein said third party is an authentication server.

25. A programmed computer for authenticating users of a system having a plurality of system users, each said user having an associated asymmetric crypto-key with a public key portion and a corresponding private key portion, each public key portion being accessible to the plurality of system users, each private key portion having a first private key portion known only to the associated user and a corresponding second private key portion known only to a third party, comprising:

storage medium for storing the second private key portion of a first user crypto-key associated with a first user; and

a processor for applying the second private key portion of the first user crypto-key to encrypt a first encrypted message, which includes a first message encrypted with the first private key portion of the first user crypto-key, to form a second encrypted message, and for issuing said second encrypted message to a second user, wherein the first message is obtainable by applying the public key portion of the first user crypto-key to decrypt the second encrypted message and thereby authenticate the first user to the second user.

26. A programmed computer according to claim 24, wherein the application of the second private key portion of the first user crypto-key to encrypt the first encrypted message serves as a signature of the third party on said first message.

27. A programmed computer according to claim 24, wherein said third party is an authentication server.
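The split-private-key exchange of claims 13, 19, 22 and 23, modelled in Python as an added example that is not part of the patent. It assumes textbook RSA with toy primes and a multiplicative split d1 * d2 = d (mod phi(n)) of the private exponent, which the claims do not specify; the key generation, the truncated hash and the party roles are constructed for illustration only.

```python
"""Toy model of the split-private-key handshake of claims 13, 19, 22, 23.

Constructed example, not the patent's implementation. Assumed: textbook
RSA with small primes, the private exponent d split multiplicatively into
d1 (known only to the user) and d2 (known only to the trusted third
party) so that d1 * d2 == d (mod phi(n)); "encrypt with a key portion"
is modelled as modular exponentiation with that portion.
"""
import hashlib
import random
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class SplitKey:
    n: int   # public modulus
    e: int   # public key portion
    d1: int  # first private key portion (user only)
    d2: int  # second private key portion (trusted third party only)


def make_split_key(p=1000003, q=1000033, e=65537, seed=7):
    """Toy RSA key whose private exponent is split so that no party holds d."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    rng = random.Random(seed)                  # deterministic for the demo
    while True:
        d1 = rng.randrange(2, phi)
        if gcd(d1, phi) == 1:                  # d1 must be invertible mod phi
            break
    d2 = d * pow(d1, -1, phi) % phi            # hence d1 * d2 == d (mod phi)
    return SplitKey(n, e, d1, d2)


def hash_message(data: bytes, n: int) -> int:
    """Toy hash-to-integer: SHA-256 truncated to 4 bytes so it fits below n."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % n


def user_sign(m: int, key: SplitKey) -> int:
    """First encrypted message (claim 13): m under the user's d1."""
    return pow(m, key.d1, key.n)


def third_party_recover(c1: int, key: SplitKey) -> int:
    """Claim 19: apply d2 (giving m^(d1*d2) = m^d mod n), then e, to get m.
    Only a holder of d1 can produce a c1 that yields the expected m here,
    which is what authenticates the first user to the third party."""
    return pow(pow(c1, key.d2, key.n), key.e, key.n)


def third_party_countersign(c1: int, key: SplitKey) -> int:
    """Second encrypted message (claims 19/22): the TTP layers d2 over d1."""
    return pow(c1, key.d2, key.n)


def verify_joint_signature(c2: int, m: int, key: SplitKey) -> bool:
    """Claims 13/22/23: the public portion recovers m only if both d1 and d2
    were applied, so one check covers the user's and the TTP's signatures."""
    return pow(c2, key.e, key.n) == m


if __name__ == "__main__":
    key = make_split_key()
    m = hash_message(b"constructed login challenge", key.n)
    c1 = user_sign(m, key)
    assert third_party_recover(c1, key) == m     # first user -> TTP
    c2 = third_party_countersign(c1, key)
    assert verify_joint_signature(c2, m, key)    # TTP -> user, user -> 2nd user
    # A party without the genuine d2 cannot produce a c2 that verifies.
    impostor = SplitKey(key.n, key.e, key.d1, key.d2 + 1)
    assert not verify_joint_signature(third_party_countersign(c1, impostor), m, key)
    print("split-key handshake verified")
```

Because c2 equals m^d mod n, the countersigned value is indistinguishable from a signature under the whole private key even though neither the user nor the third party ever held d.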

* * * * * 